This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Migrating to new firewall with VLANs

Migrating to new firewall with VLANs

Go to solution
RayR
New Contributor

‎09-21-2020 03:18 PM

Good Morning everyone,

 

We are running Extreme X690’s for our core.  This currently does our VLAN routing for us, with a default gateway to an old firewall that is not configured for VLANs (its being sent untagged packets).

 

We have a new firewall I am installing and it is now required to have the new firewall be passed the VLANs so we can handle any firewalling/routing between those VLANs.  I have configured the new firewall with appropriate VLAN interfaces, and trunked the appropriate VLANs to it from the core with TAGs.  Each VLAN interface on the firewall has its own IP (for example 10.165.8.254, 10.165.18.254, 10.165.22.84, etc).  In testing I can ping these IPs from the respective VLANS, so that looks OK from what I can tell.  So far, so good I hope.

 

Here comes the part where I admit I am NOT an network engineer.  🙂  How do I change the core so that each VLAN will report to its own gateway IP?  Currently the default gateway of the switches reports to 10.165.8.254, which I do not believe will work if we need to firewall between these VLANs.  Shouldn’t each VLAN report to its own gateway on the subnet?

 

Any help is appreciated.  Hopefully I’m on the right track.  The new firewall is not live yet, but I am hoping to figure this out ahead of time to save me a weekend of debugging trying to get this live in October.

Thanks in advance!

Ray

 

 

 

0 Kudos
1 ACCEPTED SOLUTION

Go to solution
Stefan_K_
Valued Contributor

‎09-21-2020 07:11 PM

Yes, VRRP is in use because your Core-Switches are two standalone switches (and no stack/chassis/vsb...). The two X690 share the virtual ip address 10.165.18.1 - one of the two switches has a higher priority and is the Master. The Backup will become the master if the Master fails.

And yes, in your Case you can disable vrrp since your Core-Switches won’t route any more.

configure vrrp vlan CLIENTS vrid 118 delete 10.165.18.1

is the command to delete the virtual ip address. You can look up the current vrrp config by issuing

show configuration vrrp

To completely remove it, use these commands:

configure vrrp vlan CLIENTS vrid 118 delete 10.165.18.1
delete vrrp vlan CLIENTS vrid 118
disable vrrp

(deleting the vrrp might be enough, but I’m currently unsure if you can delete a vrrp on a vlan if there is still a virtual ip configured)

to remove the ip address and disable ip-forwarding:

unconfigure vlan CLIENTS ipaddress
disable ipforwarding vlan CLIENTS

If your new firewall is also a cluster it will most likely also use vrrp, although you probably won’t have to configure it. 🙂

View solution in original post

0 Kudos
5 REPLIES 5

Go to solution
Stefan_K_
Valued Contributor

‎09-21-2020 03:49 PM

Hello,

the things you said make sense, so I don’t really understand what your problems are. b284bba522fb4d3b9c1fdd710c29d089_1f601.png

the firewall has the same IP-Addresses on its VLAN-interfaces as the X690? Then you just have to unconfigure the IP-Addresses from the X690. The X690 will switch the tagged packets to firewall. The firewall will be the new gateway for the vlans and handle all the traffic/routing.

You only might need to configure a new IP-Interface on the X690 for the management of the switch itself (after you have unconfigured all IP-addresses.)

Simple example:
You have VLANs 10,20,30. VLAN30 is used for Switch/Network-Mgmt.
Firewall is connected to Port 1 of the X690, Edge-Switches are connected to Port 2-9.
You tag VLAN 10,20 and 30 on Port 1 to 9.
Firewall has 1 physical interfaces (connected to Port 1 of the X690) which has 3 VLAN interfaces: VLAN10, 20 and 30. The IP-Addresses of these VLANs are the old IP-Addresses of the X690 (so you don’t have to change DHCP-Settings or static configurations on some devices)
You unconfigure all IP-Addresses of the X690.
The firewall-interfaces are now reachable from the VLANs.
Configure a new IP-Address on VLAN30 on the X690. Default Gateway of the X690 is the IP-Address of the firewall (on VLAN30). X690 is now manageable again.

I hope my text is not too confusing… If you have any questions, feel free to ask.

Best regards
Stefan

0 Kudos
GTM-P2G8KFN